CSI Opuwo

It’s finally happened – today I was helping police with their enquiries in Opuwo.

Previously on CSI Opuwo…

A few months ago a spate of burglaries took place in Opuwo which resulted in, among other things, a number of laptops being stolen.

Some of these were from the Peace Corps house and one was from the house of the Chief Accountant here in the hospital.

The police later raided an address and recovered numerous items including several laptops.

The Peace Corps, with their serial numbers all written down, were able to identify and reclaim theirs straight away. Unfortunately our accountant didn’t have a record of the serial number and when he inspected the laptop the username had been changed and his files deleted.

As such the police weren’t willing to return the laptop to him without proof of ownership.

In This Exciting Episode of CSI Opuwo…

Having been watching some quality crime-related stuff recently (Ronin, the Sopranos, the Wire and a few CSIs) I was naturally expecting to get issued with a gun (or two) and then take to the streets hunting for the perps before getting a confession from them at all costs.

Failing that at the very least my examination of the laptop should turn up some darker conspiracy, perhaps involving the Vatican or the President (“but it says here the date for the assassination is… my god… tomorrow morning at 9am”) whereupon I’d get a gun (or two) and then take to the streets squealing cars round corners, shouting into radio mikes and hunting for the perps before resolving the situation at all costs.

I would play by no rules but my own twisted ethics, barging aside all who stood in my way and corrupting those necessary to get to the sordid truth of the matter. Stopping at nothing. Stopped by no-one. A law unto myself.

Absolute worst case I figured that I’d get a gun (or two) and then take to the streets looking for clues and patterns in the tangle of evidence, rolling my way up the chain one perp at a time, fighting against my own departments inaction and the bureaucracy that always seems to work on the side of the bad guys, until finally nailing Mr Big with a stunning piece of courtroom double-cross.

Oh yeah.

Of course what actually happened was I went to the police station, discovered the laptop had no power, went back to the office to fetch a suitable power supply (luckily had one). Switched the laptop on. Logged in and immediately found the accountant’s surname in a folder.

“Good enough for me” said the Detective.

Case closed. Well rather 30 seconds of examination, 30 minutes of written statement and then case closed.

I did offer my services for any future computer forensics work they might need but I think in Opwuo this doesn’t arise very often.

On the Technical Side

If you’re not a tecchie you can stop reading now (unless you have already of course)

I got involved after the accountant and another chap from the hospital had already been to the police station to try and identify the laptop. I was told that his “files had been deleted” and the “username changed” so there was no obvious proof of ownership.

I prepared myself with a number of freely available (and seemingly quite good – in my trials they found all of my, ahem, cached and then deleted items).

At home obviously das Babylon would do it themselves and if I needed to do something similar would go about it very differently probably whipping the drive out and imaging or some such but TIN and I have no money or access to connection converters etc.

My plan was to fire up, first have a look at the user structure seeing if there was anything obvious, failing that run a deleted files recovery and poke around the registry with a search for the chaps name (no doubt endless pieces of software would be installed storing install locations and registered users in that black hole of sin).

On finally finding a suitable power supply and booting up I was met with a user called “C-Pax” or something bizarre which was password protected and a guest user.

Alas I thought I’m now going to have to hack Vista which though I’ve never done I’m sure is a google search away.

However sitting in C:\Users are two directories – one for the guest and one in the exact name of the accountant (user renaming obviously doesn’t change the user directory name).

Bosh. 30 seconds.

I was quite disappointed in a way, was looking forward to hacking my way into the admin account and then running file recovery utilities. I would, by law, have had to change the colour scheme so the terminals were green-on-black. Oh, I’d also have needed a wall of TFT monitors and been listening to thrash metal whilst typing simultaneously like a nutter on six keyboards.

So probably a bit of luck.

It does raise an interesting point though – password protection.

The accountant’s user had not been password protected. I would normally have said “you fool” but… consider this;

The laptop wasn’t stolen for his files or data. If his user had been password protected (along with no open admin account) then in all probability the thieves would have just reinstalled a fresh vista (with nice legit licence key from the bottom) or XP wiping the hard drive (much easier than hacking your way in and then going about renaming the account etc).

Because his account wasn’t locked it was easily accessed, files deleted and renamed.

Leaving the evidence behind that enabled it to be identified by the Opuwo Computer Forensic Investigation Team (me).

So I suppose he was kind of lucky for that.

Not as “lucky” as he would have been if he’d recorded the serial number or marked the laptop with a UV pen of course.